Unless you’ve been hiding in a cave for years, you know that everything sent over Wi-Fi is vulnerable to eavesdropping. A handful of hotspots now encrypt user data—usually with WPA—but the vast majority still expect customers to protect themselves. Sadly, many users continue to ignore even this simple threat. Those who know better often defend their data by using VPNs or SSL-protected websites.
Unfortunately, hotspot users who visit websites like Gmail, HotMail, and Yahoo! Mail may be more exposed than they thought.
Live from Las Vegas
During a recent presentation at BlackHat, Errata Security raised a few eyebrows by showing a pair of point-and-click “SideJacking” tools dubbed Ferret and Hamster. The approach taken by Hamster—web session cookie cloning—is not particularly new.
However, by exploiting live BlackHat user traffic to gain access to attendees’ Gmail accounts, presenter Robert Graham made the threat posed by SideJacking perfectly clear:
The next time you use an open Wi-Fi hotspot to access a vulnerable website, you may not be alone.
SideJacking is the process of sniffing web cookies, then replaying them to clone another user’s web session. Using a cloned web session, the jacker can exploit the victim’s previously-established site access to change passwords, post mail messages, download files, or take any other action offered by that website.
Unlike some better-known HTTP attacks, SideJacking isn’t about stealing logins or disruptively taking over the victim’s session. It’s about transparently sharing authorized site access with a legitimate user, after that user has already logged in.
According to Errata, “The victim continues to use his/her session, blissfully unaware that we are also in his/her account (although signs such as additional e-mails in the ‘sent’ folders might give a clue).” Worse, for websites that use authentication cookies to persistently maintain login state, the jacker may continue to enjoy that access indefinitely.
SideJacking 1-2-3
Describing a theoretical attack is one thing. Seeing it in action is quite another. To illustrate the real-world risk and raise public awareness, Errata developed a pair of compact, easy-to-use, Windows SideJacking tools.
By combining Ferret and Hamster with freeware WinPcap, a Wi-Fi adapter, and an ordinary web browser, anyone can try his hand at SideJacking. Start by running ferret to sniff web cookies sent by other nearby Wi-Fi users, writing them to hamster.txt. Then run hamster, a tiny (77K) HTTP proxy that clones cookies drawn from hamster.txt. Configure your favorite web browser to use that copy of Hamster as its HTTP proxy. Then browse http://hamster, select an IP address from the list of potential victims, and click on any listed URL to SideJack that web session.
For good measure, Errata included practical how-to hints and step-by-step illustrations in the Hamster documentation. For example, to capture live traffic sent by other Wi-Fi users, one needs a Wi-Fi adapter that supports RFMON mode. But the bottom line is that launching a SideJack attack is undeniably easy. Anyone can do it. This is precisely why hotspot visitors to potentially-vulnerable websites like Gmail, HotMail, Yahoo! Mail, MySpace, and Facebook should sit up and take notice.
Protecting yourself
The lesson to be learned from this BlackHat demo is that hotspot users really cannot afford to be lax about encrypting data sent over Wi-Fi.
Users who already protect their data with Wi-Fi encryption (e.g., WPA, WPA2) or some type of corporate or personal VPN (e.g., HotSpotVPN, AnchorFree HotSpot Shield, JiWire HotSpot Helper) need not worry about being SideJacked. These measures are still your best bet to stay safe in public Wi-Fi hotspots.
However, users who rely upon visited websites to protect data sent over Wi-Fi must become more vigilant. When establishing an account on any website, take note of whether and how that site uses SSL encryption (usually denoted by https in the URL and a tiny padlock icon). If the website only applies SSL to the login exchange, but fails to protect data sent after login, then the site may well be vulnerable to SideJacking.
On some websites, options exist to use SSL encryption throughout the session—doing so can deter both ordinary eavesdropping and SideJacking and is strongly recommended. However, to prevent offline SideJacking at a later time, also delete cookies immediately after using vulnerable websites—for example, by explicitly logging out of those sites or clearing cookies from the browser. Post-BlackHat BugTraq reports suggest that many websites may be vulnerable to SideJacking when cookies generated during encrypted SSL sessions are cloned and sent at a later time over unencrypted HTTP sessions.
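For site operators, the exposure described above can be checked from the cookies a site sets. The following is an added example, not part of the original article or Errata's tools: it flags cookies that are set over plain HTTP or that lack the Secure attribute, which restricts a cookie to SSL connections. The URLs and cookie names are constructed sample data.

```python
# Added example: audit Set-Cookie headers for exposure to cookie sniffing.
# The responses below are constructed sample data, not captured traffic.

SAMPLE_RESPONSES = [  # (URL the response came from, raw Set-Cookie values)
    ("https://mail.example.test/login",
     ["SID=abc123; Path=/; Max-Age=1209600",
      "LSID=def456; Path=/accounts; Secure; HttpOnly"]),
    ("http://mail.example.test/inbox",
     ["PREFS=lang-en; Path=/"]),
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs) with lower-cased attribute keys."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(responses):
    """Return (cookie name, finding) pairs for cookies a sniffer could capture."""
    findings = []
    for url, cookies in responses:
        over_tls = url.lower().startswith("https://")
        for raw in cookies:
            name, attrs = parse_set_cookie(raw)
            if not over_tls:
                findings.append((name, "set over plain HTTP, visible on the air"))
            elif "secure" not in attrs:
                findings.append((name, "set over SSL without Secure, "
                                       "browser will also send it over HTTP"))
            # Persistent cookies keep a cloned session usable after the user leaves.
            if "secure" not in attrs and ("max-age" in attrs or "expires" in attrs):
                findings.append((name, "persistent and not restricted to SSL"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RESPONSES):
        print(f"{name}: {finding}")
```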
Thanks to the buzz generated by this BlackHat demo, hotspot users have been warned. But given the number of users still surfing websites in the clear, the biggest potential target of this demo may be those website operators who fail to use SSL persistently and are less than strict about authentication cookie reuse. Raising threat awareness is merely the first step—we can only hope that this warning does not fall on deaf ears.
This article was first published on WiFiPlanet.com.